cbcvebase.
CVE-2017-16608
published 2018-01-23

CVE-2017-16608: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required…

PriorityP184critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
4.31%
89.9th percentile
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within exec.jsp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current user. Was ZDI-CAN-4749.

Affected

2 ranges
VendorProductVersion rangeFixed in
netgain-systemsenterprise_manager< 7.2.7667.2.766
netgain_systemsnetgain_systems_enterprise_manager

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://[target]:8081/u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5CUsers%5CPublic%5Cfun%20%7C%7C&argument=127.0.0.1&async_output=nessus_56043399
path/u/jsp/tools/exec.jsp
commandcmd /c ping || mkdir C:\Users\Public\fun ||
port8081
  • The patch in version 7.2.586 build 877 is incomplete; detections should not assume patched builds are safe if the command parameter can still be manipulated with pipe/OR operators after the required prefix.
  • Look for unauthenticated GET/POST requests to exec.jsp on port 8081 with a 'command' parameter starting with 'cmd /c ping' or 'ping -c 5' followed by additional shell operators.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.